cleanup the environment before submitting jobs (#3628)

* sanitize the job environment

* sanitize bc jobs

* climate_control not only dev/test gem now

* should not have added pry

apps/dashboard/Gemfile

@@ -21,7 +21,6 @@ gem 'sdoc', group: :doc, require: false
 group :development, :test do
  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
  gem 'byebug'
- gem 'climate_control', '~> 0.2'
  gem 'timecop', '~> 0.9'
 end
 
@@ -50,6 +49,7 @@ gem 'dotiw'
 gem 'local_time', '~> 1.0.3'
 gem 'zip_kit', '~> 6.2'
 gem 'rss', '~> 0.2'
+gem 'climate_control', '~> 0.2'
 
 gem 'jsbundling-rails', '~> 1.0'
 gem 'cssbundling-rails', '~> 1.1'

apps/dashboard/app/models/batch_connect/session.rb

@@ -4,6 +4,7 @@ module BatchConnect
  class Session
  include ActiveModel::Model
  include ActiveModel::Serializers::JSON
+ include SanitizedEnv
 
  # This class describes the object that is bound to the ERB template file
  # when it is rendered
@@ -309,7 +310,9 @@ def submit(opts = {})
  job_script_options_file.write(JSON.pretty_generate(options))
 
  # Submit job script
- self.job_id = adapter.submit script(content: content, options: options)
+ ClimateControl.modify(sanitized_env) do
+ self.job_id = adapter.submit script(content: content, options: options)
+ end
  db_file.write(to_json, perm: 0o0600)
  true
  rescue => e # rescue from all standard exceptions (app never crashes)

apps/dashboard/app/models/concerns/sanitized_env.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# Sanitize an environment by returning a new Hash that can
+# be used with ClimateControl to submit jobs with that new
+# environment.
+module SanitizedEnv
+ PREFIXES = [
+ 'SECRET', 'PASSENGER', 'BUNDLE',
+ 'RACK', 'HTTP', 'NODE', 'RAILS', 'RUBY',
+ 'GEM', 'NGINX'
+ ].freeze
+
+ def sanitized_env
+ # these are all one offs that we should clear so they don't conflict
+ # with the job.
+ {
+ 'LD_LIBRARY_PATH' => nil,
+ 'MANPATH' => nil,
+ 'PYTHONUNBUFFERED' => nil,
+ 'X_SCLS' => nil,
+ 'WSGI_ENV' => nil,
+ 'ALLOWED_HOSTS' => nil,
+ 'IN_PASSENGER' => nil,
+ 'SERVER_SOFTWARE' => nil,
+ 'PKG_CONFIG_PATH' => nil
+ }.merge(sanitize_env(Regexp.new(PREFIXES.join('|'))))
+ end
+
+ def sanitize_env(prefix)
+ ENV.select do |key, _value|
+ key.start_with?(prefix)
+ end.map do |key, _value|
+ [key, nil]
+ end.to_h
+ end
+end

apps/myjobs/app/models/concerns/sanitized_env.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# Sanitize an environment by returning a new Hash that can
+# be used with ClimateControl to submit jobs with that new
+# environment.
+module SanitizedEnv
+ PREFIXES = [
+ 'SECRET', 'PASSENGER', 'BUNDLE',
+ 'RACK', 'HTTP', 'NODE', 'RAILS', 'RUBY',
+ 'GEM', 'NGINX'
+ ].freeze
+
+ def sanitized_env
+ # these are all one offs that we should clear so they don't conflict
+ # with the job.
+ {
+ 'LD_LIBRARY_PATH' => nil,
+ 'MANPATH' => nil,
+ 'PYTHONUNBUFFERED' => nil,
+ 'X_SCLS' => nil,
+ 'WSGI_ENV' => nil,
+ 'ALLOWED_HOSTS' => nil,
+ 'IN_PASSENGER' => nil,
+ 'SERVER_SOFTWARE' => nil,
+ 'PKG_CONFIG_PATH' => nil
+ }.merge(sanitize_env(Regexp.new(PREFIXES.join('|'))))
+ end
+
+ def sanitize_env(prefix)
+ ENV.select do |key, _value|
+ key.start_with?(prefix)
+ end.map do |key, _value|
+ [key, nil]
+ end.to_h
+ end
+end

apps/myjobs/app/models/resource_mgr_adapter.rb

@@ -4,6 +4,8 @@
 # OodJob errors will be caught and re-raised as PBS::Error objects
 class ResourceMgrAdapter
 
+ include SanitizedEnv
+
  attr_reader :workflow
 
  def initialize(workflow)
@@ -34,8 +36,9 @@ def qsub(script_path, host: nil, depends_on: {}, account_string: nil)
  job_array_request: workflow.job_array_request.presence,
  copy_environment: workflow.copy_environment.eql?("1") ? true : false
  )
- adapter(cluster).submit( script, **depends_on)
-
+ ClimateControl.modify(sanitized_env) do
+ adapter(cluster).submit(script, **depends_on)
+ end
  rescue OodCore::JobAdapterError => e
  raise PBS::Error, e.message
  end